diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 6b4e44fd..cd123bcb 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} {
include
include
include
+ include
include
@{exec_path} mr,
@@ -33,12 +34,10 @@ profile gdm-xsession @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/X11/{,**} r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
- /dev/tty rw,
/dev/tty[0-9]* rw,
profile dbus {
diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider
index b505d16a..a926614e 100644
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@@ -9,6 +9,7 @@ include
@{exec_path} = /{usr/,}lib/gnome-contacts-search-provider
profile gnome-contacts-search-provider @{exec_path} {
include
+ include
include
include
@@ -21,7 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} {
owner @{user_share_dirs}/folks/relationships.ini r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter
index 87a32689..cccd460e 100644
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@@ -9,6 +9,7 @@ include
@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
profile gnome-disk-image-mounter @{exec_path} {
include
+ include
include
include
include
@@ -23,7 +24,6 @@ profile gnome-disk-image-mounter @{exec_path} {
owner @{MOUNTS}/*/{,**} r,
owner /tmp/*/{,**} r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 8a585a81..361f0186 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2017-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2017-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -8,15 +8,17 @@ abi ,
include
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
-profile gnome-keyring-daemon @{exec_path} {
+profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
include
include
capability ipc_lock,
+ signal (receive) set=(term) peer=gdm,
signal (send) set=(term) peer=ssh-agent,
@{exec_path} mr,
+ /{usr/,}bin/ssh-add rix,
/{usr/,}bin/ssh-agent rPx,
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index e1586b54..36fcf98c 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -9,13 +9,13 @@ include
@{exec_path} = /{usr/,}lib/gnome-shell-calendar-server
profile gnome-shell-calendar-server @{exec_path} {
include
+ include
include
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 53cb3202..1b28c901 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -9,6 +9,7 @@ include
@{exec_path} = /{usr/,}bin/gnome-system-monitor
profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
include
+ include
include
include
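Review bot: `/{usr/,}bin/ssh-add rix,` executes ssh-add inside gnome-keyring-daemon's own confinement, so the helper inherits `capability ipc_lock` and every file and signal rule of this profile, while the neighbouring line `/{usr/,}bin/ssh-agent rPx,` already transitions to a dedicated profile; a transition such as `/{usr/,}bin/ssh-add rPx,` (or `rCx` with a small child profile) would keep the helper to the agent socket and key files it needs. The new `flags=(attach_disconnected)` is also added without a comment saying which disconnected path triggered it; because the flag makes paths the kernel cannot resolve to the namespace root look like ordinary absolute paths to the rules below, a one-line note such as `# attach_disconnected: needed for <path from audit log>` would let the next reviewer re-check whether it is still required. The profile body continues outside the hunk.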
@@ -34,10 +35,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
+ @{run}/systemd/sessions/[0-9]*{,.ref} r,
+ @{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/tx_{bytes,errors,packets} r,
@@ -60,7 +62,5 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/wchan r,
@{PROC}/vmstat r,
- @{run}/systemd/sessions/[0-9]*{,.ref} r,
-
include if exists
}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index e8176d6b..49f815d6 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -9,6 +9,7 @@ include
@{exec_path} = /{usr/,}lib/goa-daemon
profile goa-daemon @{exec_path} {
include
+ include
include
include
include
@@ -27,7 +28,6 @@ profile goa-daemon @{exec_path} {
owner @{user_config_dirs}/goa-1.0/accounts.conf r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index 5064f11d..1ebfacb3 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -9,18 +9,19 @@ include
@{exec_path} = /{usr/,}lib/gsd-a11y-settings
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
include
+ include
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index ac69f23e..514fe6c8 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -9,6 +9,7 @@ include
@{exec_path} = /{usr/,}lib/gsd-color
profile gsd-color @{exec_path} flags=(attach_disconnected) {
include
+ include
include
include
include
@@ -17,27 +18,25 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/mime/mime.cache r,
/usr/share/X11/xkb/** r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
+ /var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.local/share/icc/ rw,
/var/lib/gdm/.local/share/icc/edid-*.icc rw,
- /var/lib/flatpak/exports/share/mime/mime.cache r,
-
- owner @{run}/user/@{uid}/gdm/Xauthority r,
-
- include
- owner @{run}/user/@{uid}/dconf/ rw,
- owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
- /var/lib/gdm/.config/dconf/user r,
owner @{user_share_dirs}/icc/ r,
owner @{user_share_dirs}/icc/edid-*.icc rw,
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+
owner /dev/tty[0-9]* rw,
include if exists
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index 80368938..61b3839d 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -9,18 +9,19 @@ include
@{exec_path} = /{usr/,}lib/gsd-datetime
profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
include
+ include
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index aecb4ea7..1e01a518 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -10,6 +10,7 @@ include
profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
signal (receive) set=(term, hup) peer=gdm*,
@@ -19,16 +20,16 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
/etc/fstab r,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_share_dirs}/applications/ rw,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
owner @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 957211e3..26536f29 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -10,6 +10,7 @@ include
profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
include
include
@@ -20,6 +21,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
@@ -36,17 +38,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
+ /var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm/.config/pulse/cookie rk,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
- @{run}/systemd/inhibit/[0-9]*.ref rw,
-
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
- /var/lib/gdm/.config/dconf/user r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 5a77c0b1..2a72c531 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -10,6 +10,7 @@ include
profile gsd-power @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
include
include
@@ -20,6 +21,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
@@ -28,13 +30,17 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
+ /var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.config/pulse/client.conf r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
- /var/lib/gdm/.config/dconf/user r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+leds:*backlight* r,
+
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
@{sys}/bus/ r,
@{sys}/class/ r,
@@ -52,13 +58,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
@{sys}/devices/platform/**/leds/*backlight*/brightness rw,
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+leds:*backlight* r,
-
- @{run}/systemd/inhibit/[0-9]*.ref rw,
-
- owner @{run}/user/@{uid}/gdm/Xauthority r,
-
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 3c6d43f0..64c202fe 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -9,18 +9,19 @@ include
@{exec_path} = /{usr/,}lib/gsd-sharing
profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
include
+ include
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index f1e4ff00..a5008067 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -9,18 +9,19 @@ include
@{exec_path} = /{usr/,}lib/gsd-smartcard
profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
include
+ include
signal (receive) set=(term, hup) peer=gdm*,
@{exec_path} mr,
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection
index 4f7bec7c..95845766 100644
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@@ -9,12 +9,12 @@ include
@{exec_path} = /{usr/,}lib/gsd-usb-protection
profile gsd-usb-protection @{exec_path} {
include
+ include
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 57be2b4c..5b0c6871 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -9,6 +9,7 @@ include
@{exec_path} = /{usr/,}lib/gsd-wacom
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include
+ include
include
include
include
@@ -17,22 +18,20 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
- /etc/machine-id r,
-
- /usr/share/libwacom/{,*} r,
-
+ /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
+ /usr/share/libwacom/{,*} r,
/usr/share/mime/mime.cache r,
/usr/share/X11/xkb/** r,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
+ /etc/machine-id r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/dconf/profile/gdm r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+ /var/lib/gdm/.config/dconf/user r,
owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index daff8d92..c18b5fc4 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -39,11 +39,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
/etc/machine-id r,
# Mount points
- owner @{MOUNTS}/*/ r,
- owner @{MOUNTS}/*/**/ r,
- owner @{HOME}/*/*/ r,
- owner @{HOME}/*/*/**/ r,
- owner @{HOME}/bluetooth/ r,
+ owner @{MOUNTS}/**/ r,
+ owner @{HOME}/**/ r,
owner @{run}/user/@{uid}/dconf/ w,
owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index 45275d6b..6238d434 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -11,6 +11,7 @@ include
@{exec_path} += @{libexec}/gvfsd-dav
profile gvfsd-dav @{exec_path} {
include
+ include
include
include
include
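Review bot: `owner @{HOME}/**/ r,` in gvfs-udisks2-volume-monitor now grants directory-read (listing) access to every directory under the home tree, dot-directories such as ~/.ssh and ~/.gnupg included, whereas the removed rules stopped at `@{HOME}/*/*/**/` and `@{HOME}/bluetooth/`. If the intent is only to resolve mount points directly under $HOME (presumably what the two-level rules missed), the narrower pair `owner @{HOME}/*/ r,` and `owner @{HOME}/*/**/ r,` — mirroring the `@{MOUNTS}` pair this hunk collapses — would cover that without opening the whole tree. The trailing slash keeps this to directories rather than file contents, so the exposure is listing-only, but a comment stating which mount layout needed the widening would help the next audit. The profile body continues outside the hunk.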
@@ -27,10 +28,8 @@ profile gvfsd-dav @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/mime.cache r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
-
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp
index 955012d9..a700e838 100644
--- a/apparmor.d/groups/gvfs/gvfsd-ftp
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -10,6 +11,7 @@ include
@{exec_path} += @{libexec}/gvfsd-ftp
profile gvfsd-ftp @{exec_path} {
include
+ include
include
include
@@ -21,11 +23,10 @@ profile gvfsd-ftp @{exec_path} {
@{exec_path} mr,
- include
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
include if exists
}
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index 60b6d84a..bc61b9de 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -11,6 +11,7 @@ include
@{exec_path} += @{libexec}/gvfsd-http
profile gvfsd-http @{exec_path} {
include
+ include
include
include
include
@@ -26,10 +27,8 @@ profile gvfsd-http @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- include
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
-
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
include if exists
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index bb5e366a..df617a47 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -11,17 +11,16 @@ include
@{exec_path} += @{libexec}/gvfsd-network
profile gvfsd-network @{exec_path} {
include
+ include
@{exec_path} mr,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- include
- owner @{run}/user/@{uid}/dconf/ rw,
- owner @{run}/user/@{uid}/dconf/user rw,
-
include if exists
}
diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp
index 776a3cfc..209931f5 100644
--- a/apparmor.d/groups/gvfs/gvfsd-sftp
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -16,11 +17,11 @@ profile gvfsd-sftp @{exec_path} {
@{exec_path} mr,
+ /{usr/,}bin/ssh rPx,
+
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
- /{usr/,}bin/ssh rPx,
-
include if exists
}
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb
index c16978d5..989a9ad2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -10,6 +11,7 @@ include
@{exec_path} += @{libexec}/gvfsd-smb
profile gvfsd-smb @{exec_path} {
include
+ include
include
network netlink raw,
@@ -20,15 +22,13 @@ profile gvfsd-smb @{exec_path} {
@{exec_path} mr,
- include
- owner @{run}/user/@{uid}/dconf/ rw,
- owner @{run}/user/@{uid}/dconf/user rw,
-
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
-
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/samba/smb.conf r,
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+
include if exists
}
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index 2fa5cb33..6ec204d0 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -10,6 +11,7 @@ include
@{exec_path} += @{libexec}/gvfsd-smb-browse
profile gvfsd-smb-browse @{exec_path} {
include
+ include
include
network netlink raw,
@@ -20,17 +22,14 @@ profile gvfsd-smb-browse @{exec_path} {
@{exec_path} mr,
- include
- owner @{run}/user/@{uid}/dconf/ rw,
- owner @{run}/user/@{uid}/dconf/user rw,
-
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
-
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/samba/smb.conf r,
- owner @{run}samba/ rw,
+ owner @{run}/samba/ rw,
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
include if exists
}
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 4ea153f2..76eeedf8 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
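Review bot: The socket rule re-added on the new side of both gvfsd-smb and gvfsd-smb-browse, `owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,`, uses the character class `A-z` rather than `A-Z`; in ASCII that range also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the rule is slightly wider than the intended alphanumeric socket name. Since the lines are being rewritten anyway this is the moment to spell it `socket-[a-zA-Z0-9]*` (the same class appears in gvfsd-dav and gvfsd-network in this commit). The `@{run}samba/` → `@{run}/samba/` correction in gvfsd-smb-browse also suggests a lint pass for variables not followed by `/` across the tree, since the old rule silently never matched.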
@@ -34,7 +34,7 @@ profile ssh @{exec_path} {
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,
/etc/ssh/ssh_config r,
- /etc/ssh/ssh_config.d/ r,
+ /etc/ssh/ssh_config.d/{,*} r,
owner @{run}/user/@{uid}/keyring/ssh rw,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 66cca7e3..56d3b9e7 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -43,10 +43,11 @@ profile systemd-logind @{exec_path} flags=(complain) {
@{run}/udev/static_node-tags/uaccess/ r,
@{run}/udev/data/c10:[0-9]* r,
- @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c116:[0-9]* r, # for ALSA
+ @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/udev/data/c23[0-9]:[0-9]* r,
+ @{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/c29:[0-9]* r,
@{run}/udev/data/c50[0-9]:[0-9]* r,
@{run}/udev/data/c51[0-9]:[0-9]* r,
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index d71e7f33..55418bae 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -17,12 +17,12 @@ profile pass-import @{exec_path} {
/{usr/,}bin/ r,
/{usr/,}bin/pass rPx,
/{usr/,}{s,}bin/ldconfig rix,
- /{usr/,}bin/gcc rix,
+ /{usr/,}bin/gcc rix, # TODO: Test deny
/{usr/,}bin/ld rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}lib/gcc/**/collect2 rix,
- /{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w,
+ /{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny
/usr/share/file/misc/magic.mgc r,
diff --git a/apparmor.d/profiles-s-z/update-desktop-database b/apparmor.d/profiles-s-z/update-desktop-database
index 0ead1784..0ccc239e 100644
--- a/apparmor.d/profiles-s-z/update-desktop-database
+++ b/apparmor.d/profiles-s-z/update-desktop-database
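Review bot: `/{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny` in pass-import leaves a write grant over the whole system Python library tree in force; a compromised importer (it presumably parses user-supplied password-manager export files) could plant or modify a module that every later Python process on the host imports, so this is a persistence and privilege-escalation sink rather than a cosmetic TODO. Since the comment already names the intended fix, I would land `deny /{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w,` now and watch the audit log in complain mode; if the access that prompted the rule turns out to be bytecode caching (not visible here), `owner /{usr/,}lib/python3.[0-9]*/**/__pycache__/** w,` would be a far narrower replacement. The same reasoning applies to `/{usr/,}bin/gcc rix, # TODO: Test deny`, which keeps a compiler running with this profile's grants. The profile body continues outside the hunk.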
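Review bot: `@{run}/udev/data/c24[0-9]:[0-9]* r,` in systemd-logind is added without the trailing comment its neighbours `c13` (`# for /dev/input/*`) and `c226` (`# for /dev/dri/card*`) carry, and char majors in the 240s fall in the dynamically assigned range, so the number alone does not tell a reader which device class logind needed. A note naming the device the audit log showed, e.g. `@{run}/udev/data/c24[0-9]:[0-9]* r, # for <device class from audit log>`, would keep the list self-explaining; `c23[0-9]` just above has the same gap and could get one in the same change. The profile body continues outside the hunk.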
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -7,7 +8,7 @@ abi ,
include
@{exec_path} = /{usr/,}bin/update-desktop-database
-profile update-desktop-database @{exec_path} {
+profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
include
include